Initiation in Savant
When a user clicks “Authenticate” for Slack in Savant, the application starts an OAuth 2.0 authorization-code flow. Savant constructs a Slack authorization URL with the following query parameters:
client_id (identifies Savant's Slack app)
redirect_uri (must exactly match a redirect URL registered for the app)
scope (the comma-separated list of bot scopes requested)
state (a random, single-use value Savant stores server-side and checks when the callback arrives: CSRF protection / request correlation)
Slack Authorization Endpoint
https://slack.com/oauth/v2/authorize
Sample Authorization URL (format)
https://slack.com/oauth/v2/authorize?client_id=XXX&scope=channels:read,channels:join,groups:read,chat:write,files:write,remote_files:write,im:read,mpim:read,users:read&redirect_uri=YYY&state=ZZZ
Scopes Requested
Savant requests scopes required to list conversations/users and support messaging and file workflows:
channels:read, channels:join
groups:read
im:read, mpim:read
users:read
chat:write
files:write, remote_files:write
User Login and Consent
The user is redirected over HTTPS to Slack’s secure OAuth consent screen. The user selects the Slack workspace and approves the requested permissions for Savant’s Slack app. All interactions during this step are handled by Slack over TLS (HTTPS).
Authorization Code Flow and Token Issuance
After you approve access in Slack, Slack redirects your browser back to Savant's registered redirect URL carrying a one-time authorization code and the state value Savant generated when the flow started.
Savant then uses that code to complete the connection behind the scenes:
Savant first checks that the returned state matches the pending one it stored (rejecting mismatched or replayed callbacks), then exchanges the code, together with its client ID and client secret, at Slack's token endpoint (https://slack.com/api/oauth.v2.access). The code is single-use and expires quickly.
Slack returns an access token (used to make Slack API requests) and, when token rotation is enabled for the app, a refresh token plus an expiry time (used to renew access automatically when the access token expires).
Savant stores these credentials securely and associates them with your Slack workspace (team ID), so Savant can continue to access Slack without asking you to log in every time.
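The three steps above (build the authorization URL with a state value, verify the state on the callback, exchange the code for tokens) as one added Python example. This is illustrative code, not Savant's own implementation; it assumes a dictionary-like server-side session for the pending state, a 10-minute state lifetime, and an injectable `post` function for the HTTPS call so that it can be run offline against the constructed `fake_slack_post` below (the token values it returns are made up).

```python
"""Slack OAuth 2.0 authorization-code flow: start URL, state check, code exchange.

Added example, not Savant's code. The session store, STATE_TTL and the
injectable `post` function are assumptions for illustration.
"""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://slack.com/oauth/v2/authorize"
TOKEN_URL = "https://slack.com/api/oauth.v2.access"  # Slack's code-exchange endpoint

# Bot scopes from the sample authorization URL on this page.
SCOPES = ["channels:read", "channels:join", "groups:read", "chat:write",
          "files:write", "remote_files:write", "im:read", "mpim:read", "users:read"]

STATE_TTL = 600  # seconds a pending authorization stays valid (assumed value)


def build_authorize_url(client_id: str, redirect_uri: str, session: Dict) -> str:
    """Create a fresh CSRF state, remember it in the user's session, return the URL."""
    state = secrets.token_urlsafe(32)
    session["slack_oauth"] = {"state": state, "issued": time.time()}
    query = urlencode({
        "client_id": client_id,
        "scope": ",".join(SCOPES),   # Slack v2 takes comma-separated bot scopes
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def verify_state(session: Dict, returned_state: str, now: Optional[float] = None) -> bool:
    """Constant-time compare of the callback's state against the pending one.

    The pending entry is popped, so a replayed callback with the same state fails.
    """
    pending = session.pop("slack_oauth", None)
    if not pending:
        return False
    now = time.time() if now is None else now
    if now - pending["issued"] > STATE_TTL:
        return False
    return hmac.compare_digest(pending["state"], returned_state)


def exchange_code(post: Callable[[str, Dict], Dict], client_id: str, client_secret: str,
                  code: str, redirect_uri: str) -> Dict:
    """Exchange the one-time code for tokens; `post` performs the HTTPS request."""
    resp = post(TOKEN_URL, {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one used in the authorize URL
    })
    if not resp.get("ok"):
        raise RuntimeError(f"oauth.v2.access failed: {resp.get('error')}")
    # expires_in / refresh_token are only present when token rotation is enabled.
    expires_at = time.time() + resp["expires_in"] if "expires_in" in resp else None
    return {
        "access_token": resp["access_token"],
        "refresh_token": resp.get("refresh_token"),
        "expires_at": expires_at,
        "team_id": resp["team"]["id"],
        "team_name": resp["team"]["name"],
        "scopes": resp.get("scope", "").split(","),
    }


def handle_callback(session: Dict, callback_url: str, post: Callable, client_id: str,
                    client_secret: str, redirect_uri: str) -> Dict:
    """Process the browser's return to redirect_uri: state first, then error, then code."""
    q = parse_qs(urlparse(callback_url).query)
    if not verify_state(session, q.get("state", [""])[0]):
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    if "error" in q:
        raise RuntimeError(f"authorization refused: {q['error'][0]}")  # e.g. access_denied
    return exchange_code(post, client_id, client_secret, q["code"][0], redirect_uri)


def fake_slack_post(url: str, form: Dict) -> Dict:
    """Constructed stand-in for Slack's oauth.v2.access response (made-up values)."""
    assert url == TOKEN_URL
    if form["code"] != "good-code":
        return {"ok": False, "error": "invalid_code"}
    return {"ok": True, "access_token": "xoxe.xoxb-example", "refresh_token": "xoxe-1-example",
            "expires_in": 43200, "scope": ",".join(SCOPES),
            "team": {"id": "T000", "name": "Example Workspace"}}
```

The state check runs before anything else on the callback, including before looking at `error`, so an attacker-crafted callback cannot bind someone else's workspace to the victim's Savant account; the single-use pop also means the same callback URL cannot be replayed.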
What this means for you
You only need to authorize once in most cases.
Savant can keep the connection working automatically by renewing access when needed.
Savant can only do what you approved during authorization (based on the permissions/scopes you granted).
Token storage and keeping your Slack connection active
After you authorize Slack, Savant securely stores the connection details so we can continue to access your workspace without asking you to sign in repeatedly. This includes:
Access token (used to make Slack API requests)
Refresh token (used to renew access automatically)
Token expiry time
Slack workspace ID and name
The permissions (scopes) you approved
Proactive token renewal (to avoid interruptions)
When token rotation is enabled for the app, Slack access tokens expire (currently after 12 hours), so Savant refreshes them automatically before they expire. Savant also applies a safety buffer (refreshing when a token is close to expiring rather than only once it has expired) to reduce the chance of failures in the middle of multi-step workflows.
Reliability at scale (prevents refresh conflicts)
In environments with multiple Savant services running, Savant ensures only one refresh happens at a time per Slack workspace. This prevents duplicate refresh attempts and helps keep the connection stable.
Handling Slack refresh token rotation
Each time access is renewed, Slack issues a new refresh token and invalidates the one that was just used; refresh tokens are single-use. Savant records the latest refresh token immediately after every renewal so your Slack connection doesn’t break unexpectedly, even if you have multiple Savant connections tied to the same Slack workspace (they share one stored credential per workspace rather than each holding a copy that would go stale).
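The three renewal behaviours described above (refresh inside a safety buffer, one refresh at a time per workspace, and adopting the rotated refresh token) as one added Python example. It is illustrative code rather than Savant's implementation and makes these assumptions: token rotation is enabled, a 5-minute buffer, a process-local lock per workspace (across several services a distributed lock with the same shape would stand in for it), and an injectable refresh call so the code runs offline against the constructed `FakeSlack`, which models Slack's single-use refresh tokens with made-up token values.

```python
"""Keeping a Slack connection alive: refresh before expiry, one refresh per
workspace at a time, and refresh-token rotation.

Added example, not Savant's code. REFRESH_BUFFER, the per-team threading.Lock
and the FakeSlack stand-in are assumptions for illustration.
"""
import threading
import time
from typing import Callable, Dict, List

REFRESH_BUFFER = 5 * 60  # refresh when fewer than 5 minutes remain (assumed value)


class TokenStore:
    """One credential record per Slack workspace (team_id), shared by all connections."""

    def __init__(self, refresh_call: Callable[[str], Dict], clock: Callable[[], float] = time.time):
        self._tokens: Dict[str, Dict] = {}
        self._locks: Dict[str, threading.Lock] = {}
        self._locks_guard = threading.Lock()
        self._refresh_call = refresh_call
        self._clock = clock
        self.refresh_count = 0  # how many refresh requests were actually sent

    def save(self, team_id: str, access_token: str, refresh_token: str, expires_in: int) -> None:
        self._tokens[team_id] = {"access_token": access_token, "refresh_token": refresh_token,
                                 "expires_at": self._clock() + expires_in}

    def record(self, team_id: str) -> Dict:
        return dict(self._tokens[team_id])

    def _lock_for(self, team_id: str) -> threading.Lock:
        with self._locks_guard:
            return self._locks.setdefault(team_id, threading.Lock())

    def _needs_refresh(self, rec: Dict) -> bool:
        return rec["expires_at"] - self._clock() <= REFRESH_BUFFER

    def get_access_token(self, team_id: str) -> str:
        """Return a usable access token, refreshing inside the buffer window if needed."""
        if not self._needs_refresh(self._tokens[team_id]):
            return self._tokens[team_id]["access_token"]
        with self._lock_for(team_id):           # only one refresh per workspace at a time
            rec = self._tokens[team_id]         # re-read: another caller may have refreshed
            if self._needs_refresh(rec):
                resp = self._refresh_call(rec["refresh_token"])
                if not resp.get("ok"):
                    # e.g. a stale refresh token; the user must re-authorize.
                    raise RuntimeError(f"refresh failed: {resp.get('error')}")
                # Rotation: adopt the NEW refresh token at once; the old one is now dead.
                self._tokens[team_id] = {"access_token": resp["access_token"],
                                         "refresh_token": resp["refresh_token"],
                                         "expires_at": self._clock() + resp["expires_in"]}
                self.refresh_count += 1
            return self._tokens[team_id]["access_token"]


class FakeSlack:
    """Constructed stand-in for oauth.v2.access with grant_type=refresh_token.

    Each refresh token is accepted once, then invalidated, as Slack does.
    """

    def __init__(self, initial_refresh_token: str):
        self._valid = {initial_refresh_token}
        self._calls = 0

    def refresh(self, refresh_token: str) -> Dict:
        if refresh_token not in self._valid:
            return {"ok": False, "error": "invalid_refresh_token"}
        self._valid.discard(refresh_token)
        self._calls += 1
        new_rt = f"xoxe-1-rotated{self._calls}"
        self._valid.add(new_rt)
        return {"ok": True, "access_token": f"xoxe.xoxb-{self._calls}",
                "refresh_token": new_rt, "expires_in": 43200}


def demo_concurrent_refresh(threads: int = 8):
    """Many callers hit a near-expiry token at once; exactly one refresh should go out."""
    slack = FakeSlack("xoxe-1-initial")
    now = [1_000_000.0]                           # controllable clock for the demo
    store = TokenStore(slack.refresh, clock=lambda: now[0])
    store.save("T000", "xoxe.xoxb-0", "xoxe-1-initial", expires_in=43200)
    now[0] += 43200 - 60                          # 60 s left: inside the safety buffer
    results: List[str] = []
    workers = [threading.Thread(target=lambda: results.append(store.get_access_token("T000")))
               for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return store, slack, results
```

Without the per-workspace lock, several services would each send the same (single-use) refresh token; the first would succeed and the rest would get `invalid_refresh_token`, and whichever service wrote its result last could overwrite the live refresh token with a stale one. The lock plus the re-read under it avoids both problems.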
Security and permission controls
Encrypted in transit: All Slack authentication and API traffic happens over HTTPS.
Secure storage: Tokens are protected on the backend (refresh tokens are stored encrypted at rest) and are never written to logs in full.
Permission-based access: Savant can only perform actions you approved in Slack. For example:
Posting messages requires chat:write
Reading channels requires channels:read
Reading users requires users:read
If permissions are removed or changed in Slack (for example, the app is uninstalled from the workspace or a scope is revoked), Slack rejects Savant's tokens or refresh attempts, and Savant may require you to re-authorize to restore functionality.
